Skip to content

SCRAM Java 3.3

Choose a tag to compare

@jorsol jorsol released this 04 Jun 15:33
Immutable release. Only release title and notes can be modified.
f6bd6e2

๐Ÿ”’ Security

  • Prevent silent downgrade attacks during channel binding negotiation via unsupported certificate algorithms. GHSA-p9jg-fcr6-3mhf
  • Harden memory security by explicitly zeroing out highly sensitive cryptographic keys (saltedPassword, clientKey, and serverKey) immediately following the client final message exchange to prevent lingering material in heap memory.

๐Ÿš€ New features

  • Implement an interrupt-aware implementation of the PBKDF2 'hi' function introducing ScramInterruptedException, utilizing a stride-based check to allow long-running cryptographic operations to safely abort without blocking thread shutdown.
  • Introduce .channelBindingPolicy() to the client builder to explicitly configure DISABLE, ALLOW (default), and REQUIRE enforcement modes.
  • Introduce MechanismNegotiationException and ChannelBindingException runtime exception hierarchy to provide granular, precise failure types for driver integration loops instead of relying on generic IllegalArgumentException throws.
  • Add support for RSASSA-PSS server certificate signature extraction to ensure modern cryptographic algorithms are supported during tls-server-end-point channel binding computations.
  • Add support for SCRAM-SHA3-512 and SCRAM-SHA3-512-PLUS SASL mechanisms to provide modern NIST SHA-3 hashing standards with higher cryptographic resilience against length-extension attacks (supported on modern JVMs only).

๐Ÿ—๏ธ Improvements

  • Update the saslprep dependency to 2.4.
  • Updated internal Maven plugins and project dependencies to their latest stable versions.